US10594668B1ActiveUtility

Crypto Cloudlets

84
Assignee: THALES ESECURITY INCPriority: Dec 1, 2016Filed: Feb 10, 2017Granted: Mar 17, 2020
Est. expiryDec 1, 2036(~10.4 yrs left)· nominal 20-yr term from priority
H04L 9/0897H04L 2209/805H04L 9/0861H04L 63/083H04L 63/166H04L 63/045H04L 9/0894H04L 2463/041
84
PatentIndex Score
11
Cited by
26
References
17
Claims

Abstract

In one embodiment, a crypto cloudlet is provided that includes a security wrapper to a virtual machine to guarantee secure Input/Output exchange between a client and one or more cryptographic adaptive services powered by a set of virtual CPUs through a single well defined channel, an adaptive service running in the virtual machine that identifies hardware resources necessary to satisfy a cryptographic demand or request, and an Ethernet interface communicatively coupled to the security wrapper providing network channel services for exchange of cryptographic data and commands. The security wrapper presents to the adaptive services the hardware accelerators exposed by the virtual machine. Other embodiments are disclosed.

Claims

exact text as granted — not AI-modified
What is claimed, is: 
     
       1. A computer program product comprising a non-transitory computer readable medium storing program code to be executed by at least one computer processing unit (CPU) in a computational environment, whereby execution of the program code causes the at least one CPU to execute a crypto cloudlet by performing operations comprising:
 securing execution of crypto services in the computational environment via a security wrapper shell of the crypto cloudlet, the security wrapper shell including a set of components configured to enable crypto features to securely execute cryptographic operations within a virtual machine; 
 providing, via at least the security wrapper shell, a secure input/output exchange between a client and the virtual machine by limiting input/output through the secure input/output exchange to input/outputs to which the crypto cloudlet was created; 
 dynamically adjusting, via at least the security wrapper shell, access control to hardware resources running on the virtual machine; 
 communicating crypto data and commands from the client to the virtual machine through the security wrapper shell via an interface coupled to components in the set of components; and 
 executing an adaptive service of the crypto cloudlet, the adaptive service comprising a set of modules configured to support crypto operations and identify hardware resources required to satisfy cryptographic demands according to cryptographic request loading, wherein the adaptive service is configured to:
 assess a latency of the hardware resources running on the virtual machine based on performance of the hardware resources over a period of time; 
 estimate a processing performance required to meet a latency requirement; and 
 adaptively switch between hardware accelerated cryptographic operations and software based cryptographic operations to satisfy a timely cryptographic request from a host based on the processing performance required. 
 
 
     
     
       2. The computer program product of  claim 1  wherein the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising:
 providing, via at least the security wrapper shell, the secure Input/Output exchange between the client and the hardware resources identified through a single defined channel; and 
 controlling access to the hardware resources identified via at least the interface, 
 where the hardware resources required to satisfy the cryptographic demands include the at least one CPU and when available: co-processors, cryptographic accelerators and sensors. 
 
     
     
       3. The computer program product of  claim 2 , wherein the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising:
 limiting, via at least the security wrapper shell, secure Input/Output exchanges only those exchanges for which the crypto cloudlet was created, and 
 providing, via at least the security wrapper shell, tampering protection from non-authorized elements. 
 
     
     
       4. The computer program product of  claim 2 , the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising:
 supporting resource-intensive and interactive client applications by providing computer resources to the client with lower latency through adaptation of selecting hardware accelerators available on the hardware resources, 
 providing a fixed service through a software Applications Programming Interface (API) available in the crypto cloudlet, and 
 wherein the client is at least one of: a computational device, a mobile device, or a Transmission Control Protocol/Internet Protocol (TCP/IP) enabled device. 
 
     
     
       5. The computer program product of  claim 4 , where the fixed service is configured to:
 decouple hardware dependencies including one among a security processor and one or more hardware accelerators, and 
 decouple corresponding hardware drivers replaced by an equivalent software solution in a corresponding architecture within the computational environment. 
 
     
     
       6. The computer program product of  claim 4 , wherein the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising at least one of the following operations:
 providing isolation between untrusted user-level computations; 
 performing mechanisms for authentication, access control, and metering; 
 performing dynamic resource allocation for user-level computations; and 
 performing adaptation of resource utilized for system operation responsive to workload demand changes. 
 
     
     
       7. The computer program product of  claim 2 , wherein the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising:
 executing a deployable element that installs the security wrapper shell and establishes a configuration for the security wrapper shell and the adaptive service to recognize the hardware resources identified, 
 where physical protection of the security wrapper shell is directly proportional to a cloud computing environment in which the security wrapper shell is deployed. 
 
     
     
       8. The computer program product of  claim 7 , where the deployable element operates to secure at least one of:
 an on-cloudlet secure cryptographic key generation; 
 an on-cloudlet secure cryptographic key storage and management; 
 an on-cloudlet use of cryptographic and sensitive data material; 
 an on-cloudlet offloading application servers for complete asymmetric and symmetric cryptography; and 
 an on-cloudlet management of Transparent Data Encryption keys for databases. 
 
     
     
       9. The computer program product of  claim 1 , wherein the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising:
 enabling, via at least the security wrapper shell, secure execution of accelerated cryptographic operations provided by a set of hardware components in the computational environment. 
 
     
     
       10. The computer program product of  claim 1 , wherein the non-transitory computer readable medium includes further program code that when executed by the at least one CPU causes the at least one CPU to perform operations comprising: enabling, via at least the security wrapper shell, detection of an abnormal event exposed by at least one of a set of sensors in the computational environment, the abnormal event including a tampering event. 
     
     
       11. The computer program product of  claim 1 , wherein the adaptive service selects between one of:
 software supported crypto operations available within the crypto cloudlet; and 
 hardware accelerated crypto operations exposed through hardware resources provided via the virtual machine. 
 
     
     
       12. The computer program product of  claim 1 , wherein the adaptive service is further configured to expand crypto utilities in accordance with a configuration between the virtual machine and hardware resources of the virtual machine. 
     
     
       13. The computer program product of  claim 1  wherein the at least one CPU performs the operations in a Virtual Security Module (VSM) running on the computational environment, the VSM configured to reference a set of crypto software features and customizations and apply the set of crypto software features and customizations to the virtual machine to secure and control input and output of the virtual machine. 
     
     
       14. A method by a hardware server for executing a crypto cloudlet, the method comprising:
 wrapping a virtual machine to guarantee secure input/output exchange between a client and one or more virtual computer processing units (CPUS) via a security wrapper shell; 
 identifying hardware resources necessary to satisfy a cryptographic demand via an adaptive service running in the virtual machine; 
 dynamically adjusting, via at least the security wrapper shell, access control to hardware resources running on the virtual machine; 
 exchanging crypto data and commands over a network channel service via an interface communicatively coupled to the security wrapper shell; 
 identifying hardware resources required to satisfy cryptographic demand according to cryptographic request loading; 
 assessing a latency of hardware resources running on the virtual machine based on performance of the hardware resources over a period of time; 
 estimating a processing performance required to meet a latency requirement; and 
 adaptively switching between hardware accelerated cryptographic operations and software based cryptographic operations to satisfy a timely cryptographic request from a host based on the processing performance required, 
 wherein the adaptive service binds the hardware resources exposed by the virtual machine to the crypto cloudlet. 
 
     
     
       15. The method of  claim 14 , further comprising:
 limiting secure Input/Output exchanges allowing only those exchanges for which the crypto cloudlet was created, and 
 providing tampering protection from non-authorized elements. 
 
     
     
       16. The method of  claim 14 , further comprising:
 installing the security wrapper shell of the crypto cloudlet and establishing a configuration for the security wrapper shell and the adaptive service of the crypto cloudlet to recognize the hardware resources identified, 
 wherein the installing of the security wrapper shell secures at least one of:
 an on-cloudlet secure cryptographic key generation; 
 an on-cloudlet secure cryptographic key storage and management; 
 an on-cloudlet use of cryptographic and sensitive data material; 
 an on-cloudlet offloading application servers for complete asymmetric and symmetric cryptography; and 
 an on-cloudlet management of Transparent Data Encryption keys for databases. 
 
 
     
     
       17. A computer program product comprising a non-transitory computer readable medium storing program code to be executed by at least one computer processing unit (CPU) in a computational environment, whereby execution of the program code causes the at least one CPU to execute a crypto cloudlet by performing operations comprising:
 securing execution of crypto services in the computational environment via a security wrapper shell of the crypto cloudlet, the security wrapper shell including a set of components configured to enable crypto features to securely execute cryptographic operations within a virtual machine; 
 providing, via at least the security wrapper shell, a secure input/output exchange between a client and the virtual machine by limiting input/output through the secure input/output exchange to input/outputs to which the crypto cloudlet was created; 
 dynamically adjusting, via at least the security wrapper shell, hardware resources including CPU cores, co-processors, cryptographic accelerators and sensors available to the virtual machine to optimize execution of said cryptographic operations; and 
 executing an adaptive service of the crypto cloudlet, the adaptive service comprising a set of modules configured to identify and meter characteristics of said hardware resources, and enable said characteristics in the crypto cloudlet as said crypto features, said characteristics including one or more of crypto processing speed, performance, scalability and loading on said hardware resources to optimize said execution in said virtual machine, 
 where said set of modules are configured to support said cryptographic operations to satisfy cryptographic demands of the client by: 
 assessing a latency of the hardware resources running on the virtual machine based on performance of the hardware resources over a period of time; 
 estimating a processing performance required to meet a latency requirement; and 
 adaptively switching between hardware accelerated cryptographic operations and software based cryptographic operations to satisfy a timely cryptographic request from the client based on the processing performance required.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.